How to Disable VRFY and RCPT

pthiga1234
Level 1

How does one disable VRFY and RCPT on IronPort AsyncOS for Email Security 7.6, and what is the impact? I understand an attacker can perform account enumeration and verify whether e-mail accounts exist, and a spammer can automate the method to perform a directory harvest attack and send spam e-mails.

Thanks

Accepted Solution

Bob Fayne
Level 1

There are three SMTP commands that apply here.

VRFY - not implemented by ESA. ESA will respond "250 ok" to everything

EXPN - not implemented by ESA. ESA always responds "500 command not recognized"

RCPT - can't be "disabled" as there is no other way to specify envelope recipients.

I would recommend that you set up LDAP Accept and DHAP (Directory Harvest Attack Prevention). That will allow the ESA to stop dictionary attacks. Once too many bad recipients have been tried the appliance will reject all recipients from that IP address for an hour.

DHAP is normally best set up to function during the SMTP conversation and to drop connections. If you enable it during the work queue your appliance can get bogged down with undeliverable outgoing messages from all the bounces. Dropping the connection can help with botnets since they usually don't waste time by re-queuing messages to be tried later.


2 Replies

You can configure directory harvest attack prevention by setting the maximum number of invalid recipients per hour that one sender can hit.

For example: if a sender (server) types 5 invalid recipients in the RCPT TO field, all communication is dropped for a defined period of time.

To find out how to configure it see page 620 in user guide: http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/user_guide/ESA_8-0_User_Guide.pdf

If you want to prevent a harvest attack by not telling the sender that a user doesn't exist during the SMTP conversation (when typing RCPT...), you can do it by doing DHAP within the work queue. The sender will see "recipient OK" during the SMTP conversation, but the message will be rejected afterwards, within the work queue. The sender will receive the bounce message.

To find out how to configure it see page 622 in user guide: http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/user_guide/ESA_8-0_User_Guide.pdf
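To make the two DHAP placements discussed in the accepted answer and the reply above concrete, here is a toy model added for this thread (it is not Cisco code and not from either poster): a minimal RCPT TO policy with the VRFY/EXPN replies the accepted answer reports, a per-source invalid-recipient counter that blocks the source for an hour once the threshold is reached, and a harvester's view of what each placement leaks. The reply codes and texts, the exact blocking rule, the mailbox list and the addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for the LDAP Accept lookup: the mailboxes that exist.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

# Constructed dictionary-attack candidate list a harvester might try.
CANDIDATES = ["alice@example.com", "carol@example.com", "dave@example.com",
              "bob@example.com", "erin@example.com", "frank@example.com"]

HOUR = 3600


@dataclass
class QueuedMessage:
    source_ip: str
    mail_from: str
    recipients: list


class SmtpPolicy:
    """Toy model of the behaviour the thread describes. Reply codes, reply
    text and the blocking rule are assumptions, not captured from an ESA."""

    def __init__(self, max_invalid_per_hour=5, mode="conversation"):
        assert mode in ("conversation", "workqueue")
        self.max_invalid = max_invalid_per_hour
        self.mode = mode
        self.invalid_times = defaultdict(list)  # ip -> times of invalid RCPTs
        self.blocked_until = {}                 # ip -> time the block expires
        self.work_queue = []

    # VRFY and EXPN as the accepted answer reports them: no signal either way.
    def vrfy(self, address):
        return "250 ok"

    def expn(self, address):
        return "500 command not recognized"

    def _record_invalid(self, ip, now):
        """Count an invalid recipient against the source and block the source
        for an hour once the per-hour threshold is reached (assumed rule)."""
        recent = [t for t in self.invalid_times[ip] if now - t < HOUR]
        recent.append(now)
        self.invalid_times[ip] = recent
        if len(recent) >= self.max_invalid:
            self.blocked_until[ip] = now + HOUR

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def rcpt(self, ip, address, now):
        """RCPT TO cannot be disabled, so this is where the decision is made."""
        if self.is_blocked(ip, now):
            return "421 4.7.0 too many invalid recipients, try again later"
        if self.mode == "workqueue" or address in VALID_RECIPIENTS:
            return "250 recipient ok"
        # Conversation-mode DHAP: reject now, drop the connection at threshold.
        self._record_invalid(ip, now)
        if self.is_blocked(ip, now):
            return "421 4.7.0 too many invalid recipients, closing connection"
        return "550 5.1.1 recipient unknown"

    def data(self, ip, mail_from, recipients):
        """End of DATA: queue the message with the recipients the client named
        (in conversation mode the caller passes only the accepted ones)."""
        self.work_queue.append(QueuedMessage(ip, mail_from, list(recipients)))

    def process_work_queue(self, now):
        """Work-queue DHAP: bad recipients are only discovered here, so each
        one costs the appliance a bounce back to the MAIL FROM address."""
        bounces = []
        for msg in self.work_queue:
            for address in msg.recipients:
                if address not in VALID_RECIPIENTS:
                    self._record_invalid(msg.source_ip, now)
                    bounces.append((msg.mail_from, address))
        self.work_queue.clear()
        return bounces


def enumerate_mailboxes(policy, ip, candidates, now=0):
    """What a harvester learns from the RCPT TO replies alone."""
    learned = {}
    for address in candidates:
        code = policy.rcpt(ip, address, now)[:3]
        learned[address] = {"250": "accepted", "421": "blocked"}.get(code, "rejected")
    return learned


if __name__ == "__main__":
    attacker = "203.0.113.7"  # constructed source address
    conv = SmtpPolicy(max_invalid_per_hour=3, mode="conversation")
    print("conversation:", enumerate_mailboxes(conv, attacker, CANDIDATES))
    wq = SmtpPolicy(max_invalid_per_hour=3, mode="workqueue")
    print("work queue:  ", enumerate_mailboxes(wq, attacker, CANDIDATES))
    wq.data(attacker, "harvester@example.net", CANDIDATES)
    print("bounces generated:", len(wq.process_work_queue(now=1)))
```

Running it shows the trade-off from the thread: in conversation mode the harvester sees 550 versus 250 for each address (a real existence signal) but is cut off with a 421 after the third bad recipient; in work-queue mode every RCPT gets 250, so the SMTP dialogue leaks nothing, but the appliance then has to generate one bounce per invalid recipient before the same block takes effect.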
